Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc. in the U.S. and other
jurisdictions, and other Fortinet names herein may also be trademarks, registered or otherwise, of
Fortinet. All other product or company names may be trademarks of their respective owners. Copyright
2002 - 2016 Fortinet, Inc. All rights reserved. Contents and terms are subject to change by Fortinet
without prior notice. No part of this publication may be reproduced in any form or by any means or
used to make any derivative such as translation, transformation, or adaptation without permission from
Fortinet, Inc., as stipulated by the United States Copyright Act of 1976.
Table of Contents
Application Security ... 1
  Application Challenges to Meeting User Needs ... 1
  Application Layers: The OSI Model ... 2
Application Security
Threats are constantly evolving, so network security technologies and methods must evolve too. Threats
to application security, including bots, ransomware, Advanced Persistent Threats (APTs), viruses, and
spam, have a heavy content component and are not focused only on the physical and data link layers. In
this context, content refers to analysis of packet payloads and of how those packets are transported, in
particular at layers 3-7 of the Open Systems Interconnection (OSI) Model. Table 1 [1] compares the layer
and protocol models.
These threats focus on the application content component and transport, rather than on the link and
physical components. Therefore, firewalls designed to protect, load balance, and accelerate content
between web servers are necessary. The Web Application Firewall (WAF) is designed to provide
protection for web applications and related database content [2]. In order to better understand the type of
threats that the WAF faces in protecting networks, we will examine the vulnerable areas that are targeted
by application threats.
SSL traffic poses a challenge because legacy servers and load balancers cannot manage the increased
load caused by growing SSL traffic. In order to detect malicious code attempting to sneak into the
network inside encrypted packets, the SSL traffic must be decrypted, scanned, and then re-encrypted.
Scalability is the concept of enabling a system, network, or application to handle a growing volume of
work in an efficient manner. Scalability may be accomplished by using hardware, software, or a
combination of both, to improve availability and reliability by:
- Managing data flow and workload across multiple servers to increase capacity
- Allocating data across multiple data centers to facilitate redundancy and recovery
Applications allow users to accomplish tasks using computer systems and networks. Common
applications include word processing, spreadsheets, graphics design programs, email applications,
games, and media. Many applications are available across platforms, from wired desktop systems to
smartphones and other devices. Many of these applications are now delivered as web-based services,
such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
Application Vulnerabilities
Applications are widely used by both business users and private consumers. If application threats infect
the systems of multiple private users who connect to organizational networks, the same threat can be
reintroduced repeatedly. These threats can come in through innocuous sources such as customers,
clients, or users under a BYOD model who fail to complete regular security screenings on their
equipment. These threats can also come from an outside competitor, malcontent, or hacker.
OWASP
Fortunately, there is a global project that assists application developers and system and network security
administrators in identifying and understanding prevalent and emerging application security threats. This
project is the Open Web Application Security Project (OWASP) and is supported by an OWASP
Foundation in the United States.
OWASP is an open community dedicated to enabling organizations to conceive, develop,
acquire, operate, and maintain applications that can be trusted. All of the OWASP tools,
documents, forums, and chapters are free and open to anyone interested in improving
application security. Our freedom from commercial pressures allows us to provide
unbiased, practical, cost-effective information about application security. OWASP is not
affiliated with any technology company, although we support the informed use of
commercial security technology. [3]
One of the primary studies done by OWASP is the cataloging and ranking of the most prevalent
threats in web applications. A comparison of the 2010 and 2013 findings appears in Table 4.
The OWASP analysis shows a consistent top four application threats to system and network security:
SQL Injection
The OWASP analysis also indicates which threats have increased and declined, indicating trends that
may assist security administrators in determining the most effective system and network configurations.
SQL Injection. Insertion or injection of an SQL query through data input from the client to the application.
This type of attack may allow attackers to spoof identities, tamper with or delete data, change or void
transactions, enable complete disclosure of the system's database, or destroy it or make it unavailable,
or even become a new database server administrator. It is common with PHP and ASP applications, less
likely with J2EE and ASP.NET applications. Severity depends on the attacker's creativity and computer
skills, but has the potential to be devastating. SQL Injection is a high impact threat.
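The defect the paragraph describes is the client's input being spliced into the SQL text, so the input can change the query's logic. The following added example (not code from the original document) shows the vulnerable lookup beside the parameterized form using Python's standard `sqlite3` module and a constructed in-memory table; the table contents and the probe string are assumptions made for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed in-memory user table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # The client-supplied value becomes part of the SQL statement itself, so
    # quote characters in it alter the WHERE clause instead of staying data.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, name):
    # A bound parameter is passed to the engine separately from the statement;
    # the database never parses its content as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input: a tautology appended to the clause
    print(lookup_vulnerable(db, probe))     # every user: the injected condition always holds
    print(lookup_parameterized(db, probe))  # []: no user is literally named that
```

The same parameter mechanism exists in every mainstream database driver; a WAF in front of the application is a second layer, not a substitute for it.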
Cross-site Scripting (XSS). Also referred to as XSS Injection, malicious scripts are injected into
otherwise benign and trusted web sites, generally in the form of browser-side scripts to be transmitted to
end users. Because the end user's browser regards the site as trusted, it will execute the script, allowing
access to any cookies, session tokens, or other information retained by the browser and used with the
site. Some of these scripts are even capable of rewriting content on HTML pages.
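The browser runs injected markup because the site emitted it verbatim. This added example (not from the original document) renders a stored comment unsafely and then with context-appropriate encoding, and also covers a case the paragraph does not spell out: entity encoding alone does not make a URL attribute safe, so the link scheme is checked separately. The template and sample values are assumptions made for the demonstration.

```python
import html
from urllib.parse import urlsplit

# Constructed template: a user name linking to a profile URL, then the comment.
TEMPLATE = '<p><a href="{url}">{user}</a>: {body}</p>'

def render_unsafe(user, url, body):
    # Stored values are spliced in verbatim; any markup the submitter included
    # is parsed by the reader's browser as if the site had written it.
    return TEMPLATE.format(user=user, url=url, body=body)

def safe_url(url):
    # Escaping does not help inside href: a javascript: scheme is still a valid,
    # runnable URL after html.escape. Allow only http(s) links.
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)

def render_safe(user, url, body):
    # Element content and attribute values get HTML entity encoding (quote=True
    # also encodes both quote characters); the URL gets the scheme allow-list.
    return TEMPLATE.format(user=html.escape(user, quote=True),
                           url=safe_url(url),
                           body=html.escape(body, quote=True))

if __name__ == "__main__":
    # Constructed sample of an attacker-submitted comment and profile link.
    print(render_unsafe("mallory", "javascript:alert(1)", '<script>alert("xss")</script>'))
    print(render_safe("mallory", "javascript:alert(1)", '<script>alert("xss")</script>'))
```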
Broken Authentication & Session Management. This area includes all aspects of user
authentication and active session management handling. Even robust authentication protocols may be
undermined by flawed credential management functions, such as password changing, "forgot my
password" and "remember my password" options, account update options, and other functions. The
complexity of this issue comes from the fact that many developers prefer to create their own session
tokens. These tokens may not be properly protected, or steps may not be in place to protect them
throughout the application's life cycle. If they are not protected with SSL and against other flaws (such
as XSS), an attacker can hijack the user's session and assume their identity.
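For developers who do build their own session handling, the properties the paragraph asks for (unguessable tokens, protection in transit and against XSS, protection across the session's life cycle) can be stated concretely. The following added example (not code from the original document) is a minimal server-side session store; the 15-minute idle timeout, the cookie name `sid` and the hashed-token storage are assumptions chosen for the demonstration.

```python
import hashlib
import secrets
import time

SESSION_TTL = 15 * 60  # assumed: seconds of inactivity after which a session expires

def _key(token):
    # Store only a hash: a leaked session table then holds no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

class SessionStore:
    """Server-side session table; the browser only ever holds an opaque token."""
    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be exercised
        self._sessions = {}  # sha256(token) -> {"user": ..., "last_seen": ...}

    def create(self, user):
        # 256 bits from the OS CSPRNG: not guessable, not derived from user data.
        token = secrets.token_urlsafe(32)
        self._sessions[_key(token)] = {"user": user, "last_seen": self._now()}
        return token

    @staticmethod
    def cookie_header(token):
        # Secure: TLS only. HttpOnly: page scripts (an XSS payload) cannot read
        # it. SameSite=Strict: not attached to cross-site requests.
        return f"Set-Cookie: sid={token}; Secure; HttpOnly; SameSite=Strict; Path=/"

    def lookup(self, token):
        sess = self._sessions.get(_key(token))
        if sess is None:
            return None
        if self._now() - sess["last_seen"] > SESSION_TTL:
            del self._sessions[_key(token)]  # idle too long: drop it
            return None
        sess["last_seen"] = self._now()
        return sess["user"]

    def rotate(self, token):
        # New token on login or privilege change, so a token fixed or captured
        # before authentication does not carry over into the new session.
        user = self.lookup(token)
        if user is None:
            return None
        del self._sessions[_key(token)]
        return self.create(user)

    def destroy(self, token):
        # Logout invalidates server-side; clearing the cookie alone is not enough.
        self._sessions.pop(_key(token), None)
```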
Heuristics
One of the key features that enables WAFs to counter DDoS threats is heuristic, or behavior-based,
analysis. Behavior-based DDoS protection measures require different mitigating parameters than
Key Acronyms
AAA: Authentication, Authorization, Accounting
AD: Active Directory
ADC: Application Delivery Controller
ADN: Application Delivery Network
AM: Antimalware
API: Application Programming Interface
APT: Advanced Persistent Threat
ASIC: Application-Specific Integrated Circuit
ASP: Active Server Pages
ATP
AV: Antivirus
AV/AM: Antivirus/Antimalware
CPU: Central Processing Unit
DLP: Data Loss Prevention
DNS: Domain Name System
DoS: Denial of Service
DPI: Deep Packet Inspection
DSL: Digital Subscriber Line
FTP: File Transfer Protocol
FW: Firewall
Gb: Gigabyte
GbE: Gigabit Ethernet
Gbps: Gigabits per second
GUI: Graphical User Interface
IaaS: Infrastructure as a Service
ICMP: Internet Control Message Protocol
ICSA
ID: Identification
IDC
IDS: Intrusion Detection System
IM: Instant Messaging
IMAP: Internet Message Access Protocol
IoT: Internet of Things
IP: Internet Protocol
IPS: Intrusion Prevention System
IPTV: Internet Protocol Television
IT: Information Technology
J2EE: Java 2 Platform, Enterprise Edition
LAN: Local Area Network
LLB
LOIC: Low Orbit Ion Cannon
MSP
NSS: NSS Labs
OSI: Open Systems Interconnection
OTS
PaaS: Platform as a Service
PC: Personal Computer
PHP: PHP: Hypertext Preprocessor
POE: Power over Ethernet
QoS: Quality of Service
RDP: Remote Desktop Protocol
SaaS: Software as a Service
SDN: Software-Defined Network
SEG
SFP: Small Form-factor Pluggable
SFTP
SIEM: Security Information and Event Management
SLA: Service Level Agreement
SM: Security Management
SMB
SMS: Short Message Service
SQL: Structured Query Language
SSL: Secure Sockets Layer
SWG
SYN
TCP: Transmission Control Protocol
TLS: Transport Layer Security
UDP: User Datagram Protocol
URL: Uniform Resource Locator
USB: Universal Serial Bus
UTM: Unified Threat Management
VM: Virtual Machine
VoIP: Voice over Internet Protocol
VPN: Virtual Private Network
WAF: Web Application Firewall
XSS: Cross-site Scripting
Glossary
ADC. An Application Delivery Controller (ADC) is a network device that manages client connections to
complex Web and enterprise applications. An ADC essentially functions as a load balancer, optimizing
end-user performance, reliability, data center resource use and security for enterprise applications. An
ADC can be physical (hardware appliance) or virtual (software program).
ADN. An Application Delivery Network (ADN) is a suite of technologies that together provide application
availability, security, visibility, and acceleration. Gartner defines Application Delivery Networking as the
combination of WAN Optimization Controllers (WOCs) and Application Delivery Controllers (ADCs) [8]. At
the data center end of an ADN is the Application Delivery Controller (ADC). In the branch office portion of
an ADN is the WAN optimization controller (WOC), which shapes TCP traffic using prioritization and other
optimization techniques.
APT. An Advanced Persistent Threat is a network attack in which an unauthorized person gains access
to a network and stays there undetected for a long period of time. The intention of an APT attack is to
steal data rather than to cause damage to the network or organization. APT attacks target organizations
in sectors with high-value information, such as national defense, manufacturing and the financial industry.
Bot. An Internet bot, also known as web robot, WWW robot or simply bot, is a software application that
runs automated tasks over the Internet. Typically, bots perform tasks that are both simple and structurally
repetitive, at a much higher rate than would be possible for a human alone. The largest use of bots is
in web spidering, in which an automated script fetches, analyses, and files information from web servers
at many times the speed of a human.
DoS. Denial of Service (DoS) attacks aim increasingly at denying use of a network to outside users by
flooding it with useless traffic, often exploiting limitations in the TCP/IP protocols. For all known DoS
attacks, there are software fixes that system administrators can install to limit the damage caused by the
attacks; however, like viruses new DoS attacks are constantly being developed.
DDoS. Distributed Denial of Service (DDoS) attacks are a type of DoS attack in which multiple
compromised systems, often infected with a Trojan, are used to target a single system, causing
a Denial of Service (DoS) condition. Victims of a DDoS attack include both the targeted end system and all
systems maliciously used and controlled by the attacker in the distributed attack.
NGFW. Next Generation Firewall provides multi-layered capabilities in a single firewall appliance instead
of a basic firewall and numerous add-on appliances. NGFW integrates the capabilities of a traditional
firewall with advanced features including:
- Access Enforcement
- Distributed Enterprise Capability
- VPN
- Application Awareness
OWASP. The Open Web Application Security Project (OWASP) is an open community dedicated to
enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be
trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone
interested in improving application security.
Ransomware. Ransomware is a form of malware in which rogue software code effectively holds a user's
computer hostage until a "ransom" fee is paid. Ransomware often infiltrates a PC as a computer worm or
Trojan that takes advantage of open security vulnerabilities. Upon compromising a computer,
ransomware will typically either lock a user's system or encrypt files on the computer and then demand
payment before the system or files will be restored.
Spam. Spam is usually considered to be electronic junk mail or junk newsgroup postings. Some people
define spam even more generally as any unsolicited email. Spam is generally email advertising for some
product sent to a mailing list or newsgroup.
Virus. A computer virus is a program or piece of code that is loaded onto your computer without your
knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are
man-made. A simple virus that can make a copy of itself over and over again is relatively easy to
produce. Even such a simple virus is dangerous because it will quickly use all available memory and
bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself
across networks and bypassing security systems.
VPN. A Virtual Private Network (VPN) is a network constructed by using public wires, usually the
Internet, to connect to a private network, such as a company's internal network. VPNs use
encryption and other security mechanisms to ensure that only authorized users can access the network
and that the data cannot be intercepted.
Web Application Firewall (WAF). A WAF is designed to provide protection for web applications and
related database content.
UTM. Unified Threat Management (UTM) provides administrators the ability to monitor and manage
multiple, complex security-related applications and infrastructure components through a single
management console. The advantage to UTM is that it goes beyond the NGFW focus of high
performance protection of data centers by incorporating a broader range of security capabilities as either
cloud services or network appliances, integrating:
- Content Filtering
- Anti-Malware
- VPN Capabilities
- SSL/SSH Inspection
- Anti-Spam
- Load Balancing
- Application Awareness
- Identity-based Application Control
References
1.
2. Tam, K., et al. UTM Security with Fortinet: Mastering FortiOS. Waltham, MA: Elsevier, 2013.
3. OWASP. About the Open Web Application Security Project. 2014 [cited 2014 October 31]. Available from: https://www.owasp.org/index.php/About_OWASP.
4. Maiwald, E. Network Security: A Beginner's Guide. 3rd ed. New York, NY: McGraw-Hill, 2013.
5. Nichols, S. Peak IPv4? Global IPv6 traffic is growing, DDoS dying, says Akamai. The Register, 2014.
6. Rouse, M. Application Delivery Controller. Essential Guide, 2013 [cited 2014 October 15]. Available from: http://searchnetworking.techtarget.com/definition/Application-delivery-controller.
7.
8. Gartner. Gartner Says Worldwide Application Acceleration Market Will Reach $3.7 Billion in 2008. Stamford, CT: Gartner, 2006.